03-03-2020 08:53 AM - edited 03-03-2020 01:35 PM
Given the Prisma Cloud SaaS, I am trying to create my 1st custom policy to detect and remediate overly permissive SecurityGroupIngress rules in AWS cloud.
My RQL below is valid and returns a half-dozen or so results...
event where cloud.type = 'aws' AND cloud.account.group = 'Test' AND operation IN ('AuthorizeSecurityGroupIngress') AND json.rule = ( $.requestParameters.ipPermissions.items[*].ipRanges.items[*].cidrIp contains '0.0.0.0/0' OR $.requestParameters.ipPermissions.items[*].ipv6Ranges.items[*].cidrIpv6 contains '::/0' )
My AWS CLI remediation command looks like this...
aws ec2 revoke-security-group-ingress --group-id ${resourceId} --region ${region} --ip-permissions '[{"IpProtocol":"${protocol}", "FromPort":${fromPort}, "ToPort":${toPort}, "Ip${ipV4/6}Ranges":[{"CidrIp${ipV4/6}":"${cidr}"}]}]'
When I push the "Validate Syntax" button, the system renders a dialog box, "Unsupported Cloud Type For Remediation".
This policy closely resembles the Prisma Cloud Default Policy "AWS Security groups allows internet traffic".
What am I doing wrong?
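The RQL `json.rule` above walks the CloudTrail `requestParameters.ipPermissions.items[*]` structure looking for `0.0.0.0/0` or `::/0`, and the remediation command needs that finding turned into the PascalCase `IpPermissions` JSON that `aws ec2 revoke-security-group-ingress` expects. The following is an added example (not code from the post, from Prisma Cloud, or from AWS) that does both steps locally over a constructed CloudTrail event: it applies the same detection logic as the RQL, then builds one revoke entry per world-open range, which is the part the `${ipV4/6}` placeholders in the post leave open. The event JSON, group id and region are constructed sample values.

```python
import ipaddress
import json

# Constructed sample CloudTrail event (not from the original post): one
# AuthorizeSecurityGroupIngress call that opens TCP/22 to the world over
# IPv4 and IPv6, and TCP/443 only to a private range.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "tcp",
                    "fromPort": 22,
                    "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                    "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]},
                },
                {
                    "ipProtocol": "tcp",
                    "fromPort": 443,
                    "toPort": 443,
                    "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                    "ipv6Ranges": {},
                },
            ]
        },
    },
}

# The two (range container, cidr field) pairs the RQL json.rule inspects.
RANGE_FIELDS = (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6"))


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero.

    Parsing the CIDR is stricter than the RQL's substring `contains`, which
    would also match e.g. '10.0.0.0/0'-style typos; both flag the same real cases.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ingress(event: dict) -> list:
    """Mirror the RQL: only AuthorizeSecurityGroupIngress events, and only
    ranges under requestParameters.ipPermissions.items[*] that are world-open.
    Returns (permission, range_key, cidr_key, cidr) tuples."""
    findings = []
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return findings
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for range_key, cidr_key in RANGE_FIELDS:
            for rng in perm.get(range_key, {}).get("items", []):
                cidr = rng.get(cidr_key)
                if cidr and is_world_open(cidr):
                    findings.append((perm, range_key, cidr_key, cidr))
    return findings


def build_revoke_permissions(findings: list) -> list:
    """Build the --ip-permissions list for `aws ec2 revoke-security-group-ingress`.

    CloudTrail uses camelCase (ipRanges/cidrIp, ipv6Ranges/cidrIpv6); the CLI
    wants PascalCase (IpRanges/CidrIp, Ipv6Ranges/CidrIpv6). One entry is
    emitted per offending range so the private 10.0.0.0/8 rule is left alone.
    """
    entries = []
    for perm, range_key, cidr_key, cidr in findings:
        entry = {"IpProtocol": perm["ipProtocol"]}
        # Protocol "-1" (all traffic) carries no port fields in CloudTrail.
        if "fromPort" in perm:
            entry["FromPort"] = perm["fromPort"]
            entry["ToPort"] = perm["toPort"]
        entry[range_key[0].upper() + range_key[1:]] = [
            {cidr_key[0].upper() + cidr_key[1:]: cidr}
        ]
        entries.append(entry)
    return entries


def revoke_command(event: dict) -> str:
    """Render the full CLI remediation command for every world-open range in the event."""
    params = event["requestParameters"]
    permissions = build_revoke_permissions(find_open_ingress(event))
    return (
        "aws ec2 revoke-security-group-ingress --group-id {} --region {} "
        "--ip-permissions '{}'"
    ).format(params["groupId"], event["awsRegion"], json.dumps(permissions))


if __name__ == "__main__":
    print(revoke_command(SAMPLE_EVENT))
```

Running it prints a single revoke command that removes only the two world-open ranges on port 22 (one IPv4 entry, one IPv6 entry) and leaves the 10.0.0.0/8 rule in place, which is the scoping a remediation action should have: revoke the offending range, not the whole rule set.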